ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
survey, or you have any general queries about the consultation, please 
email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public). All responses from organisations 
and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


[ ] Yes 


[X] No 


Q2 If not, please specify where improvements could be made. 


• We suggest that the code would benefit from a greater focus on 
the issue of sharing of employee data with third parties. We 
wholeheartedly welcome the example cited on page 102, which looks at 
issues around disclosure of personal data about employees with 
an anti-fraud body. However, we would propose that the ICO 
includes additional steer for employers. We are thinking in 
particular of sharing of employee data under TUPE. We are 
conscious that the ICO’s Disclosure of employee information under 
TUPE is now five years old. We would contend that a high number 
of organisations would welcome an update to this guidance 
document, or at least a reference to it within this draft code. 

• We believe that another area of focus that would resonate with 
very many data controllers would be sharing of information in the 
course of processing Subject Access Requests (SARs). For 
example, an organisation may need to engage other data subjects 
when dealing with SARs involving other people’s 
information. Taking the ‘three-step approach to dealing with 
information about third parties’ in line with Section 7 of the ICO’s 
Subject Access Code of Practice will require the data controller to 
share limited information with others, for example to assess 
whether a duty of confidentiality applies. As an organisation, our 
Data Protection Office has established some principles around 
this, however we would suggest that a case study illustrating the 
assessment of legitimate interests in data sharing within a SAR 
would be beneficial. 


Q3 Does the draft code cover the right issues about data sharing? 


[ ] Yes 


[X] No 


Q4 If no, what other issues would you like to be covered in it? 


We would suggest that the duty of confidentiality should feature in this 
code. A clear explanation for data controllers on how to gauge whether 
information has the necessary quality of confidentiality will help them 
determine whether it can be shared or not. 


Q5 Does the draft code contain the right level of detail? 


[X] Yes 


[ ] No 


Q6 If no, in what areas should there be more detail within the draft 
code? 


Whilst we welcome the ‘myth-busting’ around consent being the only 
valid lawful basis, we think that more detail should be provided. For 
example, we are sure that many data controllers would like to see a 
checklist or infographic for organisations to reuse, explaining clearly to 
data subjects the different lawful bases. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 


[X] Yes 


[ ] No 


Q8 If no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


In particular, we welcome the focus on data ethics. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


[ ] Yes 


[X] No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 

The draft code’s focus on the ‘how’ of sharing - and in particular on 
security — is greatly welcomed. However, we think that the document 
would be enhanced with a case study that illustrates that data 
controllers should feel empowered to refuse to share data in cases 
where they believe that there are risks to the rights and freedoms of 
data subjects. It would be particularly significant if the example 
discussed requests from organisations who may hold more power. For 
instance, if the case study highlighted that an auditor or government 
body cannot reasonably request data to be transferred to a platform 
that is not compliant with GDPR Article 44, this would help controllers 
more confidently challenge such requests. 


Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


[X] Yes 


[ ] No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[ ] Yes 


[X] No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


We wonder if there would be scope to include more examples 
drawn from the private sector? In addition, we feel that the code 
would be improved by examples of SME organisations who may 
not have large budgets and legal departments and rely on 
guidance. 

Whilst in response to question 15 below, we agree that the code is 
comprehensible, we would ask the ICO to consider if the tone and 
language is appropriate for all sorts of data controllers. 

We would suggest that another example that would be of great 
assistance to a number of organisations would be sharing of data 
in the event of a grievance or disciplinary investigation. We are 
thinking in particular of sharing of witness statements in response 
to a SAR. We think it shines the spotlight on a number of areas 
that data controllers need to consider: lawful basis, duty of 
confidentiality and guidance from other bodies such as Acas. 
There is not currently coverage of this within the ICO SAR Code of 
Practice, so feel it would increase the knowledge base for 
organisations on data sharing. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


[ ] Strongly agree 

[X] Agree 

[ ] Neither agree nor disagree 

[ ] Disagree 

[ ] Strongly disagree 


Q16 Are you answering as: 


[ ] An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public) 


[ ] An individual acting in a professional capacity 


[X] On behalf of an organisation 


[ ] Other 


Please specify the name of your organisation: 

Communisis Limited 


Thank you for taking the time to share your views and experience. 


